Date: Thu, 5 Dec 1996 11:15:43 -0700 (MST)
From: Nate Williams <nate@mt.sri.com>
To: freebsd-security@freebsd.org
Subject: forwarded message from Steve Lalonde
Message-ID: <199612051815.LAA16900@rocky.mt.sri.com>
------- start of forwarded message (RFC 934 encapsulation) -------
From: "Steve Lalonde" <steve@enta.net>
Sender: owner-bsdi-users@lists.gateway.com
To: <bsdi-users@bsdi.com>
Subject: innd 1.5
Date: Thu, 5 Dec 1996 17:38:46 -0000

Just seen this in bugtraq; thought you guys/girls might like to know.

In article <yy3ybfks8kj.fsf@velo.pp.vix.com>, James Brister <brister@vix.com> wrote:
>
> I'm pleased to announce the first full release of an ISC sponsored version
> of INN (version 1.5).

INN 1.5 contains a serious remotely exploitable security hole. I would not recommend using this version as released.

The security hole allows outsiders to execute arbitrary commands on your news server, by embedding the commands in the headers of control messages. This security hole still exists even if your control.ctl file disallows all automatic group creation, or if your control.ctl file is set up to run the pgpverify program on control messages. Also, it doesn't matter whether outsiders have TCP connectivity to your news server, only that their news articles can reach your server somehow. Outsiders' access will have the uid of innd (often username "news").

This is the same issue I posted about in news.software.nntp on 7 July 1995 <3tjsk4$fu8@senator-bedfellow.MIT.EDU>. This security hole also exists in previous versions of INN, including INN 1.4 and (to the best of my knowledge) "inn1.4unoff4", although I have not installed or used any of the "inn1.4unoff" packages myself.

I think the attached patch will fix this problem for INN 1.5. I also suspect that the changes it makes will have essentially the same effect on versions of INN based on 1.4. For the INN 1.4 release, it also should fix an unrelated problem associated with text mailed by the rmgroup script possibly having a line-initial ~ generated by echo "${FROM} requested that ${P1} be removed." (This is a different ~ problem than the one in "1.4sec" or "1.4sec2".)
This ~ issue is the only reason I know of that the patch below is preferable to the patch I posted in 1995. However, the patch below is possibly more consistent with the INN 1.5 code, in terms of how strings are checked and how restrictive the character set is for strings manipulated by a script that uses the sh "eval" command.

Matt

*** parsecontrol.old Fri Nov 29 18:32:18 1996 - --- parsecontrol Tue Dec 3 01:50:43 1996 *************** *** 15,21 **** az=abcdefghijklmnopqrstuvwxyz ZN=0123456789 # Attempt to sanitize the address ! FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -dc ${az}${ZN}+-_.@%`" REPLYTO="$2" case "$3" in "") - --- 15,21 ---- az=abcdefghijklmnopqrstuvwxyz ZN=0123456789 # Attempt to sanitize the address ! FROM="`echo \"$1\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.@%`" REPLYTO="$2" case "$3" in "") *************** *** 55,60 **** - --- 55,76 ---- writelog $MOST_LOGS/badcontrol.log "`date` Bad header by ${FROM}" exit fi + fi + + # Check characters in values of variables that will be inside an eval + TRANS1="`echo \"$1\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.`" + if [ ${1}X != ${TRANS1}X ]; then + rm -f ${TEMP} + ${SED} -e 's/^~/~~/' < ${ARTICLE} \ + | ${MAILCMD} -s "Malformed newsgroup name by ${FROM}" ${NEWSMASTER} + exit + fi + TRANSP="`echo \"$PROG\" | tr ${AZ} ${az} | tr -dc \\\055${az}${ZN}+_.`" + if [ ${PROG}X != ${TRANSP}X ]; then + rm -f ${TEMP} + ${SED} -e 's/^~/~~/' < ${ARTICLE} \ + | ${MAILCMD} -s "Unexpected program name by ${FROM}" ${NEWSMASTER} + exit fi ACTION=mail

Steve Lalonde
Systems Manager
ENTANET International Ltd
The answer is YES, what's the question?
------- end -------
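Review bot: In the first hunk (lines 15-21) the real defect in the old line is that tr reads `+-_` in `tr -dc ${az}${ZN}+-_.@%` as a range from `+` (octal 053) to `_` (octal 137), not as three literal characters, so the "sanitized" FROM still admits `/`, `:`, `;`, `<`, `=`, `>`, `?`, `[`, `\`, `]` and `^`; moving the hyphen to the front as `\055` makes it literal, which is the right fix. The replacement line deserves a comment explaining the triple backslash: the double-quoted backquote and the inner shell strip `\\\055` down to `\055` before tr sees it, and anyone who later "tidies" the backslashes will silently reintroduce the range. Note also that this set still keeps `@` and `%`, so FROM is address-safe but not eval-safe, which is why the narrower set in the second hunk is used for the values that reach eval.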
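Review bot: In the second hunk (lines 55-76) both new comparisons leave their operands unquoted, `if [ ${1}X != ${TRANS1}X ]; then` and `if [ ${PROG}X != ${TRANSP}X ]; then`; if the original value ever contains whitespace, test(1) sees extra arguments and fails with a usage error, the `if` is then false, and the script falls through to the eval instead of exiting. Quote them: `if [ "${1}X" != "${TRANS1}X" ]; then`. Also, because TRANS1 and TRANSP are lowercased by the first tr before the comparison, any uppercase letter in `$1` or `$PROG` is reported as "Malformed newsgroup name" or "Unexpected program name"; if rejecting mixed case is intended, say so in the new comment, otherwise compare against a lowercased copy of the original.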
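To make the difference between the two tr sets concrete, here is an added example that is not part of the posting or of INN: the pre-patch and post-patch filters from parsecontrol rebuilt as shell functions, a probe that shows which punctuation each one passes, and an `eval_safe` guard (an assumed helper, not INN's) modelled on the second hunk but with quoted operands. The header value and newsgroup names used are constructed.

```shell
#!/bin/sh
# Added example, not from the posting or from INN: the pre- and post-patch
# tr filters from parsecontrol as functions reading stdin, plus a guard in
# the spirit of the second hunk, so what each set lets through can be seen.
LC_ALL=C; export LC_ALL
AZ=ABCDEFGHIJKLMNOPQRSTUVWXYZ
az=abcdefghijklmnopqrstuvwxyz
ZN=0123456789

# Pre-patch set: tr parses "+-_" as a RANGE from '+' (053) to '_' (137),
# so ; / < > ? [ \ ] ^ = : all survive the "sanitizer".
old_filter() { tr "$AZ" "$az" | tr -dc "${az}${ZN}+-_.@%"; }

# Post-patch set: the hyphen is written as octal \055 at the front of the set
# so tr takes it literally instead of as a range operator.
new_filter() { tr "$AZ" "$az" | tr -dc "\\055${az}${ZN}+_.@%"; }

# Every printable ASCII character (0x21..0x7e), for probing a filter.
all_printable() { awk 'BEGIN { for (i = 33; i < 127; i++) printf "%c", i }'; }

# Non-alphanumeric characters a filter passes, e.g. punct_through old_filter
punct_through() { all_printable | "$1" | tr -d "${az}${ZN}"; }

# Guard modelled on the second hunk (assumed helper, not INN's): succeed only
# if the value is unchanged by the eval-safe set. Operands are quoted, unlike
# the diff, so a value containing whitespace is rejected instead of making
# test(1) fail with a usage error and letting the caller fall through.
eval_safe() {
    trans="$(printf '%s' "$1" | tr "$AZ" "$az" | tr -dc "\\055${az}${ZN}+_.")"
    [ "${1}X" = "${trans}X" ]
}

# Constructed header value containing shell metacharacters.
SAMPLE='Mail.Box@Example.ORG;<stuff>'
printf 'old: %s\n' "$(printf '%s' "$SAMPLE" | old_filter)"   # old: mail.box@example.org;<stuff>
printf 'new: %s\n' "$(printf '%s' "$SAMPLE" | new_filter)"   # new: mail.box@example.orgstuff
printf 'punct through old filter: %s\n' "$(punct_through old_filter)"
printf 'punct through new filter: %s\n' "$(punct_through new_filter)"
```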
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199612051815.LAA16900>